masscan
In IPv6 network, router MAC address is set to a link local router
Thank you for the great work for IPv6 @robertdavidgraham ! However, I am experiencing a similar issue that an incorrect router-mac is used and thus nothing returns from the scan.
In relation to #541, this time it indeed used some IPv6 neighbor as the router MAC. However, it did not pick the real router's MAC, but apparently it picked a "router" on the link-local network of the default interface.
There are multiple interfaces on this host and we are primarily using ens3. It is the default gateway's interface, and the scan should also be run via that interface.
Here is the scan command output:
$ sudo ./masscan -p22 2001:c020:101:551f:a163:2:0:1 -vv
[sudo] password for myuser:
[+] pcap: found library: libpcap.so
pfring: error: dlopen('libpfring.so'): No such file or directory
[+] interface = ens3
[+] if(ens3): pcap: libpcap version 1.8.1
[+] if(ens3): opening...
[+] if(ens3): successfully opened
[+] interface-type = 1
if:ens3: not receiving transmits
if:ens3: type=ethernet(1)
[+] source-mac = fa-01-09-2b-08-fb
[+] source-ip = [2001:c010:101:5476:1c02:2::11e]
[+] IPv6.prefix = 2001:c010:101:5476:/64
[+] router-mac-ipv6 = fa-01-0d-e8-80-29
[+] if(ens3): initialization done.
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-06-22 02:58:53 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [1 port/host]
[+] starting transmit thread #0
[+] starting throttler: rate = 100.00-pps
[+] starting receive thread #0
[+] transmit thread #0 complete
[+] THREAD: recv: starting main loop
[+] waiting for threads to finish
[+] exiting receive thread #0 ound=0
[+] exiting transmit thread #0
[+] all threads have exited
The router-mac-ipv6 will cycle between scans and output fa-01-0d-e8-80-29 / fa-01-0b-d1-c5-82 / fa-01-03-99-f4-66, and the corresponding entries in ip neigh output are as follows:
fe80::f801:dff:fee8:8029 dev ens3 lladdr fa:01:0d:e8:80:29 router STALE
fe80::f801:bff:fed1:c582 dev ens3 lladdr fa:01:0b:d1:c5:82 router STALE
fe80::f801:3ff:fe99:f466 dev ens3 lladdr fa:01:03:99:f4:66 router STALE
===
The real gateway and its MAC should be as follows:
$ ip -6 route
(omitted)
default via 2001:c010:101:5476::ffff dev ens3 proto kernel metric 101 pref medium
default via 2001:c010:101:27e6::ffff dev ens7 metric 102 pref medium
default via 2001:c010:101:15dd::ffff dev ens8 metric 103 pref medium
default via 2001:c010:101:53e9::ffff dev ens9 metric 104 pref medium
default via 2001:c010:101:66b9::ffff dev ens6 metric 105 pref medium
(omitted)
$ ip neigh | grep 2001:c010:101:5476::ffff
2001:c010:101:5476::ffff dev ens3 lladdr 00:22:bd:f8:19:ff router REACHABLE
The real router MAC should therefore be 00:22:bd:f8:19:ff
===
Scanning will indeed work if I specify the router-mac:
$ sudo ./masscan -p22 2001:c020:101:551f:a163:2:0:1 --router-mac 00:22:bd:f8:19:ff
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-06-22 03:55:02 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [1 port/host]
Discovered open port 22/tcp on 2001:c020:101:551f:a163:2::1
Yea, manual setting of --router-mac is the way to go for the moment. I'm going to have to do a better job of either asking the operating system for its desired router, or parsing Neighbor Notification packets to get the right router. I'm going to have to set up my lab to reproduce this, so it'll take a while.